On August 12, the Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog—two of them first disclosed during the George W. Bush and Obama administrations. Federal civilian agencies have until August 26, 2025 to patch or mitigate CVE-2013-3893, a use-after-free bug in Internet Explorer’s mshtml engine; CVE-2007-0671, a remote code execution flaw in Microsoft Excel; and CVE-2025-8088, a path-traversal zero-day in WinRAR. The move forces not just federal entities but all security-conscious organizations to revisit their legacy software inventory and update processes, as attackers continue to blend ancient and brand-new exploits in real-world campaigns.
The additions are the latest in a string of KEV updates that force organizations to confront the uncomfortable reality that attackers still weaponize ancient code-execution bugs alongside freshly minted zero-days. Under Binding Operational Directive 22-01, the KEV catalog mandates remediation of vulnerabilities with confirmed active exploitation, not just high CVSS scores. This practical triage tool cuts through the noise of tens of thousands of CVEs, but it also creates acute operational pain when older products are flagged and patches or mitigations are incomplete.
A 2013 Ghost Haunts Internet Explorer’s Engine
CVE-2013-3893 is a use-after-free vulnerability in Microsoft’s mshtml (Trident) rendering engine that can be triggered via crafted JavaScript and specially constructed content, allowing remote code execution in the context of the logged-in user. Originally addressed in Microsoft security bulletin MS13-080 released in October 2013, the flaw was one of nine memory corruption vulnerabilities patched that month. Microsoft’s bulletin explicitly warned that it was aware of “targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9.” The update modified how Internet Explorer handles objects in memory to close the attack vector.
Yet nearly twelve years later, CISA’s decision to list the CVE signals that threat actors have found practical attack paths—often via legacy integrations, email attachments, or weaponized documents—making the vulnerability relevant again despite its age. The mshtml component remains embedded in countless legacy enterprise applications, embedded viewers, and compatibility layers long after Internet Explorer’s market share evaporated. For defenders, this means a routine patch from 2013 may have been missed on systems that seemed to have shed IE, but still load mshtml.dll under the hood.
Administrators should review legacy browser usage, disable or block mshtml-based components where feasible, and apply available OS and browser updates. For systems that cannot be patched immediately, isolation and application whitelisting remain critical compensating controls. The original Microsoft advisories, including the Fix-It workaround documented in KB2879017, remain authoritative for technical details.
The Excel Bug That Refuses to Die
CVE-2007-0671 is a remote code execution vulnerability in Microsoft Excel that stems from malformed record parsing. The flaw was patched in MS07-015 in February 2007, but its inclusion in the KEV catalog nearly two decades later indicates renewed, observable exploitation—most likely via targeted email lures or malicious attachments. When a victim opens a specially crafted workbook, attacker-supplied code can run with the user’s privileges, potentially leading to full system compromise.
This CVE persists in environments where legacy Office versions remain in use, particularly in government, industrial, or regulated sectors that are slower to upgrade. Modern mitigations like disabling macros by default, restricting opening of legacy file formats, and employing Office file sanitization and sandboxing are essential, but they are not always uniformly applied. Where unpatched Office versions persist, isolating machines that must run them is a practical interim control. Email gateway checks to block malicious attachments add another layer of defense.
A Fresh Zero-Day in WinRAR Exploited by RomCom
CVE-2025-8088, the lone newcomer in this batch, is a path traversal and alternate-data-stream (ADS) exploitation vulnerability in WinRAR’s core components, including UnRAR.dll. ESET researchers discovered the zero-day in July 2025, documenting attacker usage that places malicious files into sensitive locations during extraction—including autorun paths—enabling persistence and payload execution. The Russia-linked group tracked as RomCom (UNC2596/Storm-0978) has been observed weaponizing RAR archives in spear-phishing and targeted espionage.
WinRAR’s publisher released version 7.13 to address the issue, but the software does not implement automatic updates. Every installation must be manually patched, leaving a long tail of vulnerable systems. Security teams should immediately audit all endpoints for WinRAR and any third-party tools that bundle UnRAR.dll, then enforce manual updates to version 7.13 or later. Additional mitigations include treating incoming archives from untrusted sources with suspicion, inspecting RAR contents in sandboxes before extraction, and employing endpoint detection rules that flag abnormal autorun writes.
Operational Impact: Why Mixed-Age CVEs Are the Hardest to Fix
Organizations face three recurring operational challenges when KEV entries include both legacy and modern flaws:
- Patch availability vs. deployment friction. Older products may have patches, but applying them risks breaking legacy workflows. Where patches are unavailable, removal or isolation is necessary.
- Asset visibility. Many enterprises lack a complete inventory of systems that embed older components like mshtml or UnRAR.dll, making prioritization difficult without accurate asset data.
- Human factors. Attackers exploit user behavior (opening attachments, extracting archives) that automated tooling alone may not prevent; training and policy enforcement are still necessary complements to technical controls.
Windows forum communities and IT teams have reacted quickly to KEV updates, trading remediation playbooks and patching experiences—a sign that operators are already triaging these entries across heterogeneous environments. Threads show sysadmins swapping cronjobs for mass WinRAR updates, creating Office sandboxing rules, and auditing mshtml dependencies in legacy web apps. This fast information-sharing helps organizations avoid duplicated effort and exposes pitfalls (for example, third-party tools bundling old UnRAR builds) that otherwise slow remediation.
Practical Remediation Checklist
- Inventory and identification: Map all systems that run legacy Internet Explorer components, older Office installations, and applications that bundle UnRAR.dll. Use EDR and software inventory tools to find deployed libraries and binary versions.
- Apply vendor patches where available: For WinRAR, manually update to version 7.13 or later. For Microsoft products, ensure affected Windows and Office patches from MS13-080 and MS07-015 are applied or mitigation controls are in place.
- Isolate systems that cannot be patched immediately: Network segmentation, removal from sensitive networks, or staging behind strict proxies reduces exploitation risk while remediation is planned.
- Apply temporary mitigations: Block or filter suspicious RAR attachments at mail gateways, disable legacy file handling in Office, and restrict or sandbox archive extraction on endpoints.
- Enhance detection: Deploy YARA/EDR rules to flag unusual writes to autorun locations or extraction of ADS-based filenames; tune IDS/endpoint telemetry to alert on mshtml crashes and odd Excel process behavior.
- Communicate and document: Notify stakeholders, track remediation progress per BOD 22-01 timelines (for federal entities), and log compensating controls for auditors.
Risk Analysis: Strengths and Weaknesses of CISA’s Approach
- Strengths: The KEV catalog’s laser focus on observed exploitation materially reduces the operational noise for defenders. By requiring concrete evidence before listing a CVE, CISA ensures urgency is reserved for real threats rather than hypothetical worst-case issues. The KEV’s mandate and timelines have also driven better cross-agency patching discipline.
- Weaknesses and risks: The KEV can create acute resource pressure when it includes widely deployed legacy components, forcing rushed upgrades that may break critical services. There is also the perennial challenge of reactive bias: attackers often scan the KEV list and adapt, weaponizing unlisted but related flaws or chaining lower-visibility CVEs with KEV entries. Finally, vendor patching behavior—especially for products without auto-update (e.g., WinRAR)—can slow mitigation uptake.
Strategic Guidance for Security Leaders
- Treat KEV entries as immediate priorities within your vulnerability management program and map them against critical business assets. Use the KEV Catalog as an input to your risk model, not the only input.
- Build or maintain a precise software bill of materials (SBOM) and runtime inventory. Identifying where mshtml or UnRAR.dll are present is half the battle.
- Automate patch orchestration and testing pipelines where possible. Manual updates (WinRAR) require endpoint coordination and communications to prevent stale installs.
- Adopt layered defenses: network segmentation, email attachment sanitization, application allow‑listing, and robust EDR detection are all necessary to defend against both zero‑day exploitation and social engineering that triggers legacy bugs.
- For organizations under BOD 22‑01, document remediation steps and reporting to comply with timelines. For others, adopt similar internal SLAs to reduce attack surface quickly.
Community Response and Operational Anecdotes
Windows-focused IT communities have already circulated practical mitigations and staging plans for these KEV additions. Forum threads demonstrate sysadmins swapping cronjobs for mass WinRAR updates, creating Office sandboxing rules, and auditing mshtml dependencies in legacy web apps. This fast information-sharing helps organizations avoid duplicated effort and exposes pitfalls—for example, third-party tools bundling old UnRAR builds—that otherwise slow remediation. The collective push underscores a maturing defender ecosystem that treats KEV alerts as immediate actionable intelligence rather than abstract warnings.
Conclusion: Immediate Actions That Matter
CISA’s August 12, 2025 KEV update is a clear operational alarm: attackers continue to profit from both old and new vulnerabilities. The combination of CVE-2007-0671, CVE-2013-3893, and CVE-2025-8088 in a single KEV update underscores two immutable truths of cybersecurity—attackers will reuse reliable tools when they work, and defenders must prioritize practically exploitable flaws over theoretical severity scores.
The most effective immediate steps for Windows administrators and risk owners are straightforward: inventory affected components, deploy vendor patches (or implement isolation if patches aren’t possible), harden file-handling and extraction workflows, and tune detection for the behaviors associated with these flaws. Organizations that move quickly and methodically will not only meet regulatory expectations where applicable, but will also blunt the operational impact of attackers who rely on predictable exploitation paths.